Implementing application service access restrictions with an extended IP access list

Source: Internet
Author: User


[Experiment Name] Named extended IP access list

[Objective] Master the rules for named extended IP access lists on a layer-3 switch and configure one.

[Experiment Function] Implement security control over mutual access between network segments.

[Lab Equipment] Layer-3 switch (1), PCs (3), straight-through cables (3)

[Experiment Topology] (the diagram is not reproduced in this copy; the three segments configured below are 172.16.5.0/24 on VLAN 5, 172.16.10.0/24 on VLAN 10 and 172.16.15.0/24 on VLAN 15)

[Experiment Steps]

Switch1:

Switch> enable
Switch# configure terminal
Switch(config)# vlan 5
Switch(config-vlan)# exit
Switch(config)# vlan 10
Switch(config-vlan)# exit
Switch(config)# vlan 15
Switch(config-vlan)# exit
Switch(config)# interface vlan 5
Switch(config-if)# no shutdown
Switch(config-if)# ip address 172.16.5.1 255.255.255.0
Switch(config-if)# exit
Switch(config)# interface vlan 10
Switch(config-if)# no shutdown
Switch(config-if)# ip address 172.16.10.1 255.255.255.0
Switch(config-if)# exit
Switch(config)# interface vlan 15
Switch(config-if)# no shutdown
Switch(config-if)# ip address 172.16.15.1 255.255.255.0
Switch(config-if)# exit

With the IP addresses configured, the three segments can reach each other through the switch (this chapter assumes network-wide interconnection is already working; on many Catalyst platforms that also requires ip routing in global configuration and the PC-facing access ports assigned to their VLANs). Next we use an extended IP access list to restrict access to one application service. Here we block the student PCs in VLAN 5 from the WWW service on the server segment in VLAN 15; other services are handled the same way.

Switch(config)# ip access-list extended cisco    (create a named extended list called cisco)
Switch(config-ext-nacl)# deny tcp 172.16.5.0 0.0.0.255 172.16.15.0 0.0.0.255 eq www    (deny the 172.16.5.0/24 segment access to the WWW service of 172.16.15.0/24; the port may also be written numerically as 80. Note that 0.0.0.255 is a wildcard, or inverse, mask rather than a subnet mask: a 0 bit must match, a 1 bit is ignored)
Switch(config-ext-nacl)# permit ip any any    (every access list ends with an implicit deny of all traffic, so after denying one segment the remaining traffic must be permitted explicitly; without this line nothing else from VLAN 5 would be routed)
Switch(config-ext-nacl)# exit
Switch(config)# interface vlan 5
Switch(config-if)# ip access-group cisco in    (apply the extended list cisco in the inbound direction of interface vlan 5)

Why apply the list on interface vlan 5? The topology does not make this obvious, so imagine there are N switches between the VLAN 5 PCs and the switch that holds the extended list. A PC in VLAN 5 sends a packet to the WWW service in VLAN 15; it crosses all N switches, reaches the switch with the list, is matched by the deny entry and is discarded. The bandwidth along that whole path was wasted. Extended access lists therefore go on the interface closest to the restricted source segment, which in this figure is interface vlan 5. This is the general placement rule: extended lists, which match on source, destination, protocol and port, are placed close to the source; standard lists, which match only on source, are placed close to the destination so that they do not block more than intended.

Two practical checks. First, "in" on the vlan 5 SVI means the list is examined on packets arriving from VLAN 5 hosts and being routed to other VLANs; it does not filter traffic switched between two hosts inside VLAN 5, and it does not filter the reverse direction (the server's replies are never generated here because the initial TCP SYN is dropped). Second, verify the result with show access-lists cisco, whose match counters increase as the student PC's HTTP attempts are denied, and with show ip interface vlan 5, which lists the inbound access list applied to the interface.
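To make the matching rules concrete, here is an added example, written for this page rather than code from the original author or from Cisco: a small Python evaluator that decides packets against the list configured above. It models wildcard (inverse) masks, first-match evaluation, the www port keyword and the implicit deny at the end of every list, and it rejects an incomplete entry such as "permit ip any" the way the switch would. The host addresses are constructed samples inside the lab's segments, and the port-keyword table is only the subset needed here.

```python
# Added example, not code from the original page: a small evaluator that models how a
# Cisco extended IP ACL decides on a packet (wildcard masks, first-match ordering, the
# "www" port keyword and the implicit "deny ip any any"). Host addresses below are
# constructed samples in the lab's 172.16.5.0/24, 172.16.10.0/24 and 172.16.15.0/24.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23}   # subset of the IOS port keywords

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored,
    so 0.0.0.255 means 'the first three octets must match' (a /24)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF   # bits that are compared
    return (a & care) == (n & care)

@dataclass
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None   # destination port for tcp/udp

@dataclass
class Entry:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None   # from "eq <port>"; None means any port

def _addr_spec(t: List[str], i: int) -> Tuple[str, str, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at token i."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2

def parse_entry(line: str) -> Entry:
    """Parse e.g. 'deny tcp 172.16.5.0 0.0.0.255 172.16.15.0 0.0.0.255 eq www'."""
    t = line.split()
    try:
        action, proto = t[0], t[1]
        src, src_wc, i = _addr_spec(t, 2)
        dst, dst_wc, i = _addr_spec(t, i)
    except IndexError:
        # e.g. "permit ip any" with no destination: IOS answers "% Incomplete command."
        raise ValueError(f"incomplete ACL entry: {line!r}") from None
    dport = None
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        dport = PORT_NAMES[p] if p in PORT_NAMES else int(p)
    return Entry(action, proto, src, src_wc, dst, dst_wc, dport)

def entry_is_complete(line: str) -> bool:
    """True if the line is a full entry the switch would accept."""
    try:
        parse_entry(line)
        return True
    except ValueError:
        return False

def entry_matches(e: Entry, pkt: Packet) -> bool:
    if e.proto != "ip" and e.proto != pkt.proto:
        return False
    if not (wildcard_match(pkt.src, e.src, e.src_wc) and wildcard_match(pkt.dst, e.dst, e.dst_wc)):
        return False
    return e.dport is None or e.dport == pkt.dport

def evaluate(acl: List[str], pkt: Packet) -> Tuple[str, str]:
    """First matching entry wins; a packet matching nothing hits the implicit deny."""
    for line in acl:
        e = parse_entry(line)
        if entry_matches(e, pkt):
            return e.action, line
    return "deny", "<implicit deny ip any any>"

# The page's list "cisco", with the permit entry written out in full.
ACL_CISCO = [
    "deny tcp 172.16.5.0 0.0.0.255 172.16.15.0 0.0.0.255 eq www",
    "permit ip any any",
]

if __name__ == "__main__":
    student, server, vlan10 = "172.16.5.20", "172.16.15.10", "172.16.10.20"
    cases = [
        (ACL_CISCO, Packet("tcp", student, server, 80)),    # the intended block
        (ACL_CISCO, Packet("tcp", student, server, 443)),   # only port 80 is denied
        (ACL_CISCO, Packet("tcp", vlan10, server, 80)),     # VLAN 10 is not restricted
        (ACL_CISCO[:1], Packet("icmp", student, vlan10)),   # no final permit: implicit deny
    ]
    for acl, pkt in cases:
        action, by = evaluate(acl, pkt)
        print(f"{pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}  {action}  ({by})")
    print("'permit ip any' is complete:", entry_is_complete("permit ip any"))
```

The last case is the one that bites in practice: with only the deny entry configured, even a ping from VLAN 5 to VLAN 10 is dropped by the implicit deny, which is exactly why the list needs permit ip any any after the deny.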